Symmetric key encryption algorithms (like AES) are designed by mathematicians and cryptographers with the idea, that it should be infeasible to decrypt the ciphertext without having the encryption key. This is true for the modern secure symmetric encryption algorithms (like AES and ChaCha20) and may be disputable or false for others, which are considered insecure symmetric encryption algorithms (like DES and RC4).
Some popular symmetric encryption algorithms are: AES, ChaCha20, CAST, Twofish, IDEA, Serpent, RC5, RC6, Camellia and ARIA. All these algorithms are considered secure (when configured and used correctly).
AES (Advanced Encryption Standard, also known as Rijndael) is the most popular and widely used symmetric encryption algorithm in the modern IT industry. This is because AES is proven to be highly secure, fast and well standardised and very well supported on virtually all platforms. AES is 128-bit block cipher and uses 128, 192 or 256-bit secret keys. It is usually used in a block mode like AES-CTR or AES-GCM to process streaming data. In the most block modes AES require also a random 128-bit initial vector (IV, nonce).
Rijndael was the winner in the AES competition organized by NIST (1997-2000) and it was announced officially under the name "AES" (the next official symmetric block cipher after DES). In 2001 AES was adopted as official recommendation by the US government and no significant weakness or attack was found since this moment.
The Rijndael (AES) algorithm is free for any use: public or private, commercial or non-commercial.
Salsa20, along with its improved variants ChaCha (ChaCha8, ChaCha12, ChaCha20) and XSalsa20, are a family of modern, fast, symmetric stream ciphers, designed by the distinguished cryptographer Daniel Bernstein. The Salsa20 cipher was one of the finalists in the eSTREAM contest for designing of new symmetric stream ciphers (2004-2008) and was widely adopted afterwards, together with the related BLAKE hash function. Salsa20 and its variants are royalty-free, not patented.
The Salsa20 cipher takes as input a 128-bit or 256-bit symmetric secret key + randomly generated 64-bit nonce (initial vector) and a stream of data of unlimited length and produces as output an encrypted stream of data with the same length as the input stream. The Salsa20 cipher is typically used as authenticated encryption construction: ChaCha20-Poly1305.
Other modern secure symmetric ciphers, used more rarely than EAS and ChaCha20, but still popular in the software developer and information security communities, are the following:
- Serpent - secure symmetric-key block cipher (key size: 128, 192 or 256 bits), public domain, not patented
- Twofish - secure symmetric-key block cipher (key sizes: 128, 192 or 256 bits), royalty-free, not patented
- Camellia - secure symmetric key block cipher (block size: 128 bits; key sizes: 128, 192 and 256 bits), patented, but free for non-commercial use
- RC5 - secure symmetric-key block cipher (key size: 128 to 2040 bits; block size: 32, 64 or 128 bits; rounds: 1 ... 255), insecure with short keys (56-bit key successfully brute-forced), was patented until 2015, now royalty-free
- RC6 - secure symmetric-key block cipher, similar to RC5, but more complicated (key size: 128 to 2040 bits; block size: 32, 64 or 128 bits; rounds: 1 ... 255), was patented until 2017, now royalty-free
- IDEA - secure symmetric-key block cipher (key size: 128 bits), was patented until 2012, now royalty-free
- CAST (CAST-128 / CAST5, CAST-256 / CAST6) - family of secure symmetric-key block ciphers (key sizes: 40 ... 256 bits), royalty-free basis for commercial and non-commercial use
- ARIA - secure symmetric-key block cipher, similar to AES (key size: 128, 192 or 256 bits), official standard in South Korea, free for public use
- SM4 - secure symmetric-key block cipher, similar to AES (key size: 128 bits), official standard in China, free for public use
Some other symmetric encryption algorithms were popular in the past, but are now considered insecure (broken algorithms) or having disputable security and are not recommended to be used any more:
- DES - 56-bit key size, practically broken, can be brute-forced
- 3DES (Triple DES) - 64-bit cipher, considered broken
- RC2 - 64-bit cipher, considered broken
- RC4 - stream cipher, broken, practical attacks demonstrated
- Blowfish - old 64-bit cipher, broken, practical attacks demonstrated
- GOST - Russian 64-bit block cipher, disputable security, considered risky
In addition to the above mentioned symmetric key ciphers, cryptographers have proposed many symmetric encryption schemes (constructions), like the most popular authenticated encryption (AEAD) schemes:
- The ChaCha20 stream cipher with integrated Poly1305 authenticator (integrated authenticated AEAD encryption)
- Requires a 256-bit key and random 96-bit nonce
- Extremely high performance
- Implemented by the most modern crypto-libraries
- AES-GCM is the AES (Rijndael) block cipher in GCM block mode (integrated authenticated AEAD encryption), behaves like a stream cipher
- Required 256-bit key and random 128-bit nonce (initial vector)
- Implemented by the most modern crypto libraries
Most applications today should prefer some of the above encryption schemes for symmetric encryption, instead of constructing their own encryption scheme. The above schemes are highly-secure, proven, well tested and come out-of-the box from the crypto libraries.
Note that ChaCha20-Poly1305 is high-performance cipher (3 times faster than AES-128-GCM on mobile devices), so it is recommended to be used instead of AES-GCM.